The Evolution of Blockchain Security
As the value of assets on the blockchain surpasses $1 trillion in 2023, staying ahead of blockchain-specific cyber threats is more imperative than ever. In our recent update on crypto crime, we noted an encouraging 65% decline in year-over-year illicit transaction volume halfway through 2023. Yet, as the blockchain ecosystem continues to mature, so do the tactics used by cybercriminals. To thrive in this new reality, organizations must adopt a robust security framework.
The rapid growth of decentralized technologies has ignited groundbreaking innovation, but the nature of decentralization presents its own unique challenges. Following similar pathways as the adoption of the Internet, soon every institution will require a blockchain security strategy to safeguard their operations. In this blockchain security overview, we’ll discuss vulnerabilities and exploits commonly encountered in the crypto space, explore protective measures, and take a look at the promising future of on-chain security.
Blockchain Security Models: Public vs. Private
Blockchain security refers to the combination of cybersecurity principles, tools, and best practices in order to mitigate risk and avoid malicious attacks and unauthorized access while operating on blockchain networks. While all blockchains run on distributed ledger technology (DLT), not all blockchains are functionally the same or equally secure.
While both public and private blockchains have their own sets of advantages and disadvantages, their security models are fundamentally different due to the open versus closed nature of their networks. Public blockchains like Bitcoin and Ethereum are open, permissionless networks where anyone can join and participate in validating transactions. The codebase of public blockchains like Bitcoin and Ethereum is open source, meaning it is publicly available and is continually vetted by a community of developers who review the code for bugs, vulnerabilities, and other issues. By leveraging the collective expertise of open-source communities, the security, features, and efficiency of these blockchains are continuously examined and improved.
At the same time, hackers and malicious entities are also continuously examining the code, searching for vulnerabilities to exploit. While the founders are responsible for the initial source code and often inform the progress of the network through active participation, the overall responsibility for securing a public blockchain like Ethereum is distributed among all participants in the network across the world. This includes validators and node operators who maintain the network, and hundreds of thousands of developers who write code. Users also contribute to the overall security of the network by practicing good security hygiene. Since a public blockchain is a decentralized system, no single entity can claim sole responsibility for its security, making it resilient against various types of attacks.
Private blockchains, on the other hand, are exclusive networks with limited access, making them more centralized. This centralized control potentially enhances their resistance to certain external threats. Securing a private blockchain is the sole responsibility of the operating entity. The centralized nature of these blockchains means that there is a single point of failure, making it crucial for the institution to implement strong security measures. Although private blockchains may not benefit as much from the decentralized and security-by-numbers approach of public blockchains, they are generally faster and more efficient due to less computational work required for consensus algorithms. However, because the entity granting permission also has authority over the network, there is a theoretical risk of the network being shut down or manipulated, a security risk that is not typically found in public blockchains.
Blockchain Vulnerabilities and Exploits
Blockchain technology runs on a distributed digital ledger system. A blockchain network is made up of a worldwide network of computers, known as nodes, validating and recording transactions. Every participant maintains a copy of the ledger, so there is no centralized authority or point of failure. Each time a transaction occurs — such as sending or receiving cryptocurrency — it is recorded on a block. Before a block (made up of a group of transactions that occurred during a given time frame) is added to the chain, it must be verified by consensus. That’s where consensus mechanisms come into play.
There are several different consensus mechanisms, but the two most popular methods are Proof-of-Work and Proof-of-Stake. In a Proof-of-Work system, miners compete to solve computationally intensive algorithms to validate transactions. In a Proof-of-Stake system, network participants lock up a certain quantity of tokens to run a node to validate transactions. Miners and stakers are incentivized with rewards to secure the network. This process ensures everyone agrees (or reaches consensus) on the validity of each transaction. Once a block is full, it is sealed and linked to the previous block using a cryptographic code, forming a chain. By linking each block using cryptography and distributing the ledger across numerous computers, any attempt to tamper with a block would disrupt the entire chain. With the ledger visible to all participants, any suspicious activity can be quickly identified.
With blockchain, every participant has a role in maintaining its integrity. This technology is the foundation of popular cryptocurrencies like bitcoin and ether, and holds immense potential for the future of digital transactions and beyond. Unlike traditional finance — which operates on permissions to pull funds — a crypto transaction is a push transaction, initiated peer-to-peer without the need for an intermediary. Participants in blockchain networks control their digital assets on the blockchain with a private key — a cryptographically secured method of authentication and access. Crypto requires you to be deliberate. Because no intermediary is required, personal responsibility becomes much more important when transferring value on-chain. There is no undoing a transaction that is confirmed on the blockchain. This makes it notoriously difficult to recover funds that are lost or stolen.
The notion that blockchain technology is inherently immune to security threats is somewhat misleading, but there are several unique structural features of blockchain that bolster its intrinsic security properties:
- Decentralization: The distributed nature of the network makes it resilient against single points of failure.
- Immutability: Once a transaction is recorded on the blockchain, it cannot be altered or deleted.
- Transparency: The entire transaction history is visible to all network participants, enabling scrutiny and detection of anomalies.
- Cryptography: Advanced cryptographic techniques are used to secure the blockchain and authenticate transactions.
While these defining characteristics are the reason blockchain technology is considered so revolutionary, there are still vulnerabilities that can be exploited. Paradoxically, some of the traits of blockchain (e.g. immutability) can introduce unique complexities if the system itself is compromised.
Blockchain Vulnerabilities and Security Breaches
Blockchain vulnerabilities and security breaches can be broadly broken down in three distinct categories:
- Ecosystem Vulnerabilities: Attacks targeting the underlying infrastructure and network of the blockchain.
- Smart Contract and Protocol Vulnerabilities: Exploits of the applications and financial instruments built on top of the blockchain.
- User and Infrastructure Vulnerabilities: Attacks targeting individual users, wallets, exchanges, and other blockchain-related services.
It’s important to note that this is not an exhaustive list of all the possible types of vulnerabilities. A blockchain with a small number of nodes is more susceptible to ecosystem attacks than a large, well-distributed network. Sybil attacks or 51% attacks, for instance, are now virtually impossible to achieve on blockchains like Bitcoin or Ethereum due to the computing power or quantity of assets required. Nevertheless, it is worthwhile to understand the full scope of risks, especially if your organization is considering using smaller emerging blockchains or developing your own blockchain.
Ecosystem Vulnerabilities
Sybil attack: A Sybil attack occurs when a bad actor targets the peer-to-peer layer of the network in order to gain control of multiple nodes.
51% or double-spending attack: This type of attack targets the consensus layer of Proof-of-Work blockchains. If an entity controls more than 50% of the network’s mining hashrate, they can disrupt the network by attempting to double-spend coins and/or censor transactions.
Centralization risks: While public blockchains aim for decentralization, in practice, factors like mining pools can centralize control and introduce vulnerabilities due to imbalances in the concentration of power. The centralization of infrastructure is also a point of concern. For instance, many blockchain nodes that validate transactions are run on centralized cloud services like Amazon Web Services. If centralized cloud infrastructure was targeted and a large portion of nodes were taken down, a network could become increasingly centralized and thus more vulnerable to other types of attacks.
Blockchain network congestion: This occurs when there are not enough validators to confirm the amount of proposed transactions, leading to delays in transaction processing and an increase in fees. In the worst cases, this can lead to downtime and instability, affecting confidence in the resiliency of a network.
Bridge attacks: Blockchain bridges are tools that connect and allow seamless transfer of assets between different blockchain networks, enhancing the decentralized finance (DeFi) ecosystem. Because bridges store a large amount of assets and are less secure than the blockchains themselves, they are an attractive target to hackers. According to our data, bridge attacks account for 70% of crypto cyber attacks.
Layer2 vulnerabilities: While many of the same general blockchain vulnerabilities apply, there are some considerations unique to L2s including the possibility of transaction censoring from rollup providers and DoS and malware attacks targeting rollup providers.
Smart Contract and Protocol Vulnerabilities
Protocol hacks and exploits: A particular concern in the realm of DeFi, protocol hacks can lead to significant financial losses and damage trust in the greater DeFi landscape. While security audits are commonly conducted to minimize risks, the intricate nature of these financial instruments means that vulnerabilities can easily slip through the cracks. A notable example is the BadgerDAO incident, where a hacker compromised a Cloudflare API key and was able to steal $120M in funds.
Other smart contract vulnerabilities: Coding flaws in smart contracts can be exploited in various ways. The DAO incident on Ethereum is a notable example. An attacker exploited a vulnerability in its smart contract, draining around a third of The DAO’s funds (valued at about $50 million at the time). This event led to a contentious hard fork in the Ethereum community, resulting in the creation of Ethereum (ETH) and Ethereum Classic (ETC).
User and Infrastructure Vulnerabilities
Popular software attacks: Crypto wallets and other popular pieces of software are often targeted by attackers. One notable example is an exploit on a popular Solana mobile wallet Slope, enabling an attacker to steal over $8M worth of SOL. This wallet was so widely used that for a time, it was thought that the Solana blockchain itself was compromised.
Centralized exchange hacks: Cryptocurrency exchanges, which are centralized platforms where users trade digital assets, have always been targets for hackers. One of the most famous incidents is the Mt. Gox hack in 2014, where approximately 850,000 bitcoins were stolen.
Malware: One method used by attackers is to infect a user’s computer with malware designed to steal wallet keys or perform unauthorized transactions. This can be as subtle as malware detecting when a cryptocurrency address is copied, and substituting that address with a bad actor’s wallet address when pasted.
Phishing attacks: Crypto phishing attacks exploit individuals by fooling them into divulging sensitive information, such as private keys or passwords, typically through a bogus website or message that appears authentic.
SIM swap attack: SMS is never recommended as a method for multi-factor authentication due to the possibility of a SIM swap attack. This happens when an unauthorized individual gains access to your SIM card details and transfers them to their own device, gaining control over accounts linked to your phone number.
Social engineering scams: This occurs when an attacker convinces someone to send them cryptocurrency or divulge private keys and passwords under false pretenses.
User error: Losing private keys, accidentally revealing private keys, and sending assets to the wrong address are all risks that crypto users face, but these aren’t flaws in the blockchain itself.
Attacks on DeFi protocols accounted for the majority of cryptocurrency stolen in hacks in 2021 and 2022. A comprehensive blockchain security plan should address not only technical considerations but also governance, risk management, and compliance.
Developing a Robust Blockchain Security Strategy
While the individual components of a successful blockchain security strategy vary depending on use-case, here are some universal considerations:
Understanding the Blockchain Ecosystem
While deep technical knowledge is not required to participate in a blockchain-enabled world, a foundational understanding of the core philosophy is helpful for effectively navigating it. Blockchain is rooted in principles of open-source governance, trustless systems, and peer-to-peer interaction. Understanding the underlying philosophy can help you appreciate why and how blockchain can disrupt traditional business models and empower individual users and institutions.
The internet built on blockchain is fundamentally different from the internet we know today. At scale, it endeavors to offer more control over personal data, greater security, and increased transparency in transactions. This shift implies not only technological changes but also social and economic shifts that will impact how we interact with the world at large.
Assessing Risks and Understanding Use-Cases
Before embarking on any blockchain project or investment, it’s important to understand the stakes and potential risks involved. These can range from financial losses due to volatile cryptocurrency markets to legal implications related to data storage and management. Every blockchain strategy is unique. Whether you’re looking to streamline operations or create a secure voting system, understanding your specific use-case is the first step to support a successful blockchain security strategy.
Vetting Infrastructure and Tools
Identify the hardware and software you need to support your on-chain activities and thoroughly vet your vendors. After all, your security is only as good as your weakest link. Think of your own clients. Have you considered what security clearances the tools and infrastructure you’re using have achieved? For instance, is it important for them to be SOC2, ISO 27001, or GDPR compliant?
Implementing Comprehensive Security Controls
When it comes to blockchain security in an enterprise setting, multiple strategies can come into play, ranging from identifying vulnerabilities in infrastructure to training employees in blockchain cybersecurity. Some companies choose to implement access control mechanisms, identifying who is authorized to interact with assets such as crypto wallets and private keys. Techniques like multi-factor authentication and encryption algorithms are commonly used to bolster security. Role-based access can be an effective way to limit the range of actions available to each user.
In order to minimize risks associated with fraud, errors, or conflicts of interest, many organizations choose to distribute transactional responsibilities among multiple individuals or teams. Privacy and storage needs vary by use-case. Some options include cold storage for long-term asset protection, and multi-signature (multisig) wallets for enhanced transactional security. Establishing fallback measures and backup plans can ensure that transactions and operations can continue smoothly in the event of system malfunctions, personnel unavailability, or other unforeseen circumstances. This might include alternative transaction authorization processes and data backup systems.
Monitoring, Updating, and Educating
Ensuring the security, efficiency, and effectiveness of your tools and technology is a critical component of maintaining agile and resilient security infrastructure. Whether you are a small startup or a large enterprise, continuously monitoring and patching your software and hardware is extremely important. Many institutions deploy real-time monitoring to assess their exposure to various digital assets, protocols, and services and keep up with the latest security updates and news affecting those platforms.
Crypto moves at the speed of light. Regular knowledge and training programs can keep everyone on your team up to speed on best practices, technologies, and threats. Non-custodial solutions like decentralized wallets provide a higher amount of control and autonomy, but they also come with increased responsibility for security. Many institutions prefer to use the services of a trusted custodian to hold assets and/or facilitate transactions, which is functionally much like a bank. This eliminates the peer-to-peer benefits of crypto, but offers the assurance of institutional-grade security. Assets held by custodians are often insured against hacks/exploits targeting the platform itself. It’s important to note that assets held on these platforms are typically not insured against theft due to a bad actor gaining access to your account, so it’s still important to practice good security hygiene like multi-factor authentication.
Blockchain Security Innovations and the Role of Compliance
As digital currencies enter the mainstream, tools for monitoring transactions, and combating crypto crime have become essential for businesses, law enforcement agencies, financial institutions, and regulatory bodies. These security solutions demonstrate the growing maturity of the blockchain ecosystem and the commitment to strengthening operations and promoting widespread adoption.
Blockchain forensics involves examining blockchain data to identify suspicious activities, trace funds, and ensure compliance with regulations. Organizations rely on Chainalysis to handle these activities. Additionally, we provide an incident response retainer to promptly intervene and collaborate with law enforcement in the unfortunate event of a hack to recover stolen assets.
Financial transactions and key operational actions often need to be documented for audit trails, compliance, and legal requirements. While manual accounting is an option, leveraging technology solutions from specialized crypto accounting service providers can greatly streamline this process, reducing the risk of human error and enhancing operational efficiency.
As blockchain technology becomes more integrated into the mainstream, global leaders are grappling with how to negotiate the dance between innovation and regulation. On one hand, there’s a need to ensure that blockchain systems comply with existing laws, especially those concerning anti-money laundering (AML), consumer protection laws, sanctions compliance, and tax and reporting requirements. On the other hand, there’s sentiment to not stifle innovation with overregulation. Upholding the security and integrity of blockchain systems, while also providing a conducive environment for their growth is a complex regulatory challenge.
Although regulations surrounding digital assets are still evolving, compliance is not optional.